On 08.04.2025 at 21:11, Schmitt, Michael wrote:
A hypothetical IT department wants all tape systems, including z/OS, to turn on
WORM (Write Once Read Many) so that the tapes are immutable. The reason is for
prevention of ransomware attacks from altering backup data.
My question is: how does this help? If an attacker has the access and
authorization to update a tape, they also have the access and authorization to
copy the tape data to a new tape with altered data.
When we restore from a backup, we don't consult a post-it note that says "now mount
volume T13439". We mount whatever volume the tape catalog system says contains the
data set we need.
What am I missing?
A lot of things are missed.
1. Assuming the ransomware attack is possible (which is a *good*
assumption!) you cannot trust any of your system structures, including
RACF db, tape catalog, etc.
2. You cannot trust your ...backup copy. Disk or any online copy can be
altered. Air gap? WORM? Both provide some isolation, but... maybe it was
too late? Maybe your air gapped, WORM copy is already altered by ransomware?
3. How to recognise an altered backup copy? In general you cannot. Note,
some ransomware attacks allow encrypted files to be opened before the attack
is finished. Note, the ransomware can be pervasive or not. How to
recognise *one* altered file among hundreds of thousands of others? How to
do it *every day*? There are some tools for that, but none of them provide
100% accuracy and 100% certainty.
4. Is your latest copy altered? Maybe the previous one is healthy?
That's one of the most common and quite reasonable methods. However when
talking about tape - is it possible to perform a *full* copy every day?
5. Why everyday? Maybe twice a day? Or every 4 hours? But... how?
6. Here comes... (I am *not* a sales guy!) disk snapshot plus some
"WORM-like" features. IBM calls it Safeguarded copy. Yes, you can
perform many snapshots a day, all of them are incremental. None of them
are accessible from the source system, even if you have all the
authorities like Administrator, root, SPECIAL, etc. Access to the copy
requires a special procedure and it is always read-only.
Short version: forget about tapes. WORMs are good for archival copies.
--
Radoslaw Skorupka
Lodz, Poland
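
Points 3 and 4 of the reply above, as an added example that is not part of the original message: a Python sketch of one common heuristic, comparing byte entropy between backup generations to flag files that changed and now look encrypted. All names, thresholds and sample data are constructed assumptions, and the generations are assumed to be readable from a trusted system.

```python
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_encrypted(prev: dict, curr: dict, high: float = 7.0, jump: float = 2.0) -> list:
    """Names of files that changed between two generations and now look encrypted."""
    flagged = []
    for name, new in curr.items():
        old = prev.get(name)
        if old is None or old == new:
            continue  # new or unchanged files are out of scope for this heuristic
        if entropy(new) >= high and entropy(new) - entropy(old) >= jump:
            flagged.append(name)
    return sorted(flagged)

def newest_clean(generations: list) -> int:
    """Index of the newest generation before the first one with flagged files."""
    for i in range(1, len(generations)):
        if flag_encrypted(generations[i - 1], generations[i]):
            return i - 1
    return len(generations) - 1

def pseudo_random(n_blocks: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext or compressed data (constructed)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(n_blocks))

# Constructed sample data: three backup generations of the same three files.
LEDGER = b"ACCOUNT 000123 BALANCE 0000456.78\n" * 200
GEN0 = {"ledger.txt": LEDGER, "rates.txt": b"EUR 4.28\n" * 100,
        "dump.zip": pseudo_random(256, b"a")}
GEN1 = {"ledger.txt": LEDGER,
        "rates.txt": b"EUR 9.99\n" * 100,        # silently altered value
        "dump.zip": pseudo_random(256, b"b")}    # high entropy before and after
GEN2 = {**GEN1, "ledger.txt": pseudo_random(256, b"c")}  # encrypted in place

if __name__ == "__main__":
    print(flag_encrypted(GEN0, GEN1))        # altered rates.txt is not detected
    print(flag_encrypted(GEN1, GEN2))        # ledger.txt is detected
    print(newest_clean([GEN0, GEN1, GEN2]))  # generation index 1
```

The generation reported as newest clean still contains the altered rates.txt, and a changed dump.zip is never flagged because it was high-entropy to begin with, which is the accuracy limit point 3 describes.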